Folks,

This will be a great session. See you there!

Subject: "Network Locality, and Anomaly Detection in the Ourmon Network Monitoring System" (the same talk Jim gave to CERT recently)

Speaker: Professor Jim Binkley, CS Dept, Portland State University

Jim's Topic Overview:

In this talk I am going to first introduce the open-source ourmon network monitoring system, which is somewhat similar to a traditional SNMP RMON probe, but instead uses the Berkeley Packet Filter and port-mirroring on Ethernet switches. Then I will present two recent research efforts: first a large section on TCP and UDP worm detection, and then a shorter discussion of a measurement project aimed at learning what happens when network monitoring equipment is attacked by gigabit-sized flows. The worm detection discussion will present the thesis that looking at the local network-based control plane, including TCP control packets, ICMP errors, and second-order information like flow counts, is useful in anomaly detection. The gigabit flow measurement research was motivated by the Slammer attacks in early 2003. We will present our measurement results and security concerns in reference to network monitoring of maximum-MTU and minimum-sized Ethernet packets on a Gigabit Ethernet channel.

Jim's Bio:

Professor Binkley (http://www.cs.pdx.edu/~jrb) is a teacher, network engineer and researcher at Portland State University. He has an M.S. degree in Computer Science from Washington State University and a B.S. in Chinese Literature. Jim has about two decades' worth of experience in local industry as a senior network engineer and network consultant working with TCP/IP networking, UNIX and real-time operating systems (VxWorks). He currently teaches a graduate sequence of networking courses at Portland State, including network security and Linux or FreeBSD OS internals classes. His research interests include network security, wireless mobile networking, and network management.

In the recent past, Jim has acted as a principal investigator, along with John McHugh, in the DARPA-funded Secure Mobile Networks project. Jim is currently working on a number of projects, including turning his ourmon network monitoring system into an anomaly detection system. Jim suffers from being the director of the NSA-certified PSU Center of Academic Excellence in Information Assurance.

_______________________________________________
C.r.i.m.e.-announce mailing list
C.r.i.m.e.-announce@private
http://lists.whiteknighthackers.com/mailman/listinfo/c.r.i.m.e.-announce
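The abstract's thesis is that the local control plane (TCP SYN/FIN/RST packets, inbound ICMP errors, and second-order data such as per-host flow counts) carries enough signal to spot a worm-infected or scanning host. The following is an added illustration written for this page, not ourmon's code or Jim's algorithm: it scores each local host from the fraction of its outbound SYNs that never draw a SYN/ACK, its fan-out (distinct destinations, standing in for a flow count), and the RSTs and ICMP destination-unreachable messages it receives. The packet summaries, the scoring formula, the threshold and the address ranges are all constructed assumptions for the demonstration.

```python
"""Control-plane anomaly scoring over constructed packet summaries.

Each packet summary is (src, dst, proto, info): for "tcp", info is a set of
flag names; for "icmp", info is the ICMP message type as a string.
This is an illustrative, constructed metric, not ourmon's implementation.
"""
from collections import defaultdict

LOCAL_NET = "10.0.0."          # assumed local prefix; hosts here get scored


def build_sample():
    """Constructed traffic: 10.0.0.5 is a normal client completing handshakes;
    10.0.0.9 behaves like a scanner (many SYNs to distinct hosts, few answers)."""
    pkts = []
    for i in range(3):                                  # three clean sessions
        peer = f"192.0.2.{10 + i}"
        pkts.append(("10.0.0.5", peer, "tcp", {"SYN"}))
        pkts.append((peer, "10.0.0.5", "tcp", {"SYN", "ACK"}))
        pkts.append(("10.0.0.5", peer, "tcp", {"ACK"}))
        pkts.append(("10.0.0.5", peer, "tcp", {"FIN", "ACK"}))
    for i in range(40):                                 # 40 SYNs, 40 targets
        peer = f"198.51.100.{i + 1}"
        pkts.append(("10.0.0.9", peer, "tcp", {"SYN"}))
        if i < 2:                                       # 2 hosts answer
            pkts.append((peer, "10.0.0.9", "tcp", {"SYN", "ACK"}))
        elif i < 7:                                     # 5 closed ports reset
            pkts.append((peer, "10.0.0.9", "tcp", {"RST", "ACK"}))
        elif i < 17:                                    # 10 router ICMP errors
            pkts.append(("198.51.100.254", "10.0.0.9", "icmp", "dest-unreachable"))
    return pkts


def summarize(pkts):
    """Per-local-host control-plane counters (the 'second-order' view)."""
    stats = defaultdict(lambda: {"syn_out": 0, "synack_in": 0, "rst_in": 0,
                                 "fin_out": 0, "icmp_err_in": 0, "dsts": set()})
    for src, dst, proto, info in pkts:
        if src.startswith(LOCAL_NET) and proto == "tcp":
            s = stats[src]
            s["dsts"].add(dst)                          # fan-out ~ flow count
            if "SYN" in info and "ACK" not in info:
                s["syn_out"] += 1
            if "FIN" in info:
                s["fin_out"] += 1
        if dst.startswith(LOCAL_NET):
            s = stats[dst]
            if proto == "tcp":
                if {"SYN", "ACK"} <= info:
                    s["synack_in"] += 1
                if "RST" in info:
                    s["rst_in"] += 1
            elif proto == "icmp" and info == "dest-unreachable":
                s["icmp_err_in"] += 1
    return stats


def score(s):
    """Constructed score: unanswered-SYN fraction times fan-out, plus the
    inbound error signals. A client completing its handshakes scores ~0."""
    if s["syn_out"] == 0:
        return 0.0
    unanswered = s["syn_out"] - s["synack_in"]
    fanout = len(s["dsts"])
    return unanswered * fanout / s["syn_out"] + s["icmp_err_in"] + s["rst_in"]


def flag_hosts(pkts, threshold=10.0):
    """Return local hosts whose score meets the (assumed) threshold."""
    return sorted(h for h, s in summarize(pkts).items() if score(s) >= threshold)


if __name__ == "__main__":
    for host, s in sorted(summarize(build_sample()).items()):
        print(host, {k: (len(v) if isinstance(v, set) else v) for k, v in s.items()},
              "score=%.1f" % score(s))
    print("flagged:", flag_hosts(build_sample()))
```

The point of the counters is that none of them needs payload inspection: SYNs, SYN/ACKs, RSTs and ICMP errors are all visible from a mirror port, and the distinct-destination count is exactly the kind of second-order flow information the abstract refers to. On real traffic the threshold would be tuned against a baseline of known-good hosts rather than fixed as here.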
This archive was generated by hypermail 2b30 : Mon Jun 07 2004 - 08:51:45 PDT